System and Method for Secure Transport of Data from an Operating System to a Pre-Operating System Environment

PublishedJuly 3, 2018

Assigneenot available in USPTO data we have

InventorsRicardo L. Martinez Anand P. Joshi

Technical Abstract

Patent Claims

20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. An information handling system comprising: a key generator; a trusted platform module (TPM) operable to provide boot authentication for the information handling system, such that, during a first pre-boot phase, the TPM is operable to provide access to a first platform configuration register (PCR) of the TPM; and a storage device; wherein, during a first in time instance of the first pre-boot phase, the information handling system is operable to: direct the key generator to provide a first public/private key pair including a first public key and a first private key; store the first private key to an encrypted storage of the TPM, wherein the TPM is operable to provide boot authentication for the information handling system, such that, during the first pre-boot phase, the TPM is operable to provide access to the first PCR; seal the first private key to the first PCR in the first pre-boot phase; and store the first public key to the storage device; and wherein, during an operating system (OS) phase that is after the first in time instance of the first pre-boot phase, the information handling system is further operable to: retrieve the first public key from the storage device; encrypt first transfer data using the first public key, wherein the first transfer data is to be securely transported between the OS phase and the first pre-boot phase, wherein the first transfer data including an Advanced Configuration and Power interface (ACPI) table for the information handling system; and store the encrypted first transfer data to the storage device.

2. The information handling system of claim 1 , wherein further, during a second in time instance of the first pre-boot phase that is after the OS phase, the information handling system is further operable to: retrieve the first private key sealed to the first PCR from the encrypted storage; retrieve the encrypted first transfer data from the storage device; and decrypt the encrypted first transfer data using the first private key.

3. The information handling system of claim 2 , wherein, during the OS phase, the information handling system is further operable to: encrypt second transfer data using the first public key, wherein the second transfer data is to be securely transported between the OS phase and the first pre-boot phase; and store the encrypted second transfer data to the storage device.

4. The information handling system of claim 3 , wherein further, during the second in time instance of the first pre-boot phase, the information handling system is further operable to: retrieve the encrypted second transfer data from the storage device; and decrypt the encrypted second transfer data using the first private key.

5. The information handling system of claim 1 , wherein: during a second pre-boot phase, the TPM is operable to provide access to a second PCR of the TPM; during a first in time instance of the second pre-boot phase that is before the OS phase, the information handling system is further operable to: provide a second public/private key pair including a second public key and a second private key; store the second private key to the encrypted storage; seal the second private key to the second PCR in the second pre-boot phase; and store the second public key to the storage device; and during the OS phase, the information handling system is further operable to: retrieve the second public key from the storage device; encrypt second transfer data using the second public key, wherein the second transfer data is to be securely transported between the OS phase and the first pre-boot phase; and store the encrypted second transfer data to the storage device.

6. The information handling system of claim 5 , wherein further, during a second in time instance of the second pre-boot phase that is after the OS phase, the information handling system is further operable to: retrieve the second private key sealed to the second PCR from the encrypted storage; retrieve the encrypted second transfer data from the storage device; and decrypt the encrypted second transfer data using the second private key.

7. The information handling system of claim 1 , wherein the first transfer data comprises network proxy authentication information.

8. A method comprising: providing, by a key generator of an information handling system and during a first in time instance of a first pre-boot phase for the information handling system a first public/private key pair including a first public key and a first private key; storing, during the first in time instance of the first pre-boot phase, the first private key to an encrypted storage of a trusted platform module (TPM) of the information handling system; sealing the first private key to a first platform configuration register (PCR) of the TPM in the first pre-boot phase, wherein the TPM is operable to provide boot authentication for the information handling system, such that, during the first pre-boot phase, the TPM is operable to provide access to the first PCR; storing, during the first in time instance of the first pre-boot phase, the first public key to a storage device of the information handling system; retrieving, during an operating system (OS) phase that is after the first in time instance of the first pre-boot phase, the first public key from the storage device; encrypting, during the OS phase, first transfer data using the first public key, wherein the first transfer data is to be securely transported between the OS phase and the first pre-boot phase, the first transfer data including an Advanced Configuration and Power Interface (ACPI) table for the information handling system; and storing, during the OS phase, the encrypted first transfer data to the storage device.

9. The method of claim 8 , further comprising: retrieving, during a second in time instance of the first pre-boot phase that is after the OS phase, the first private key sealed to the first PCR from the encrypted storage; retrieving, during the second in time instance of the first pre-boot phase, the encrypted first transfer data from the storage device; and decrypting, during the second in time instance of the first pre-boot phase, the encrypted first transfer data using the first private key.

10. The method of claim 9 , further comprising: encrypting, during the OS phase, second transfer data using the first public key, wherein the second transfer data is to be securely transported between the OS phase and the first pre-boot phase; and storing, during the OS phase, the encrypted second transfer data to the storage device.

11. The method of claim 10 , further comprising: retrieving, during the second in time instance of the first pre-boot phase, the encrypted second transfer data from the storage device; and decrypting, during the second in time instance of the first pre-boot phase, the encrypted second transfer data using the first private key.

12. The method of claim 8 , further comprising: providing, by the information handling system and during a first in time instance of a second pre-boot phase for the information handling system that is before the OS phase, a second public/private key pair including a second public key and a second private key; storing, during the first in time instance of the second pre-boot phase, the second private key to the encrypted storage; sealing the second private key to a second PCR of the TPM in the second pre-boot phase, wherein the TPM is further operable to provide the boot authentication, such that, during the second pre-boot phase, the TPM is operable to provide access to the second PCR; storing, during the first in time instance of the second pre-boot phase, the second public key to the storage device; and retrieving, during the OS phase, the second public key from the storage device; encrypting, during the OS phase, second transfer data using the second public key, wherein the second transfer data is to be securely transported between the OS phase and the first pre-boot phase; and storing, during the OS phase, the encrypted second transfer data to the storage device.

13. The method of claim 12 , further comprising: retrieving, during a second in time instance of the second pre-boot phase that is after the OS phase, the second private key sealed to the second PCR from the encrypted storage; retrieving, during the second in time instance of the second pre-boot phase, the encrypted second transfer data from the storage device; and decrypting, during the second in time instance of the first pre-boot phase, the encrypted second transfer data using the second private key.

14. The method of claim 8 , wherein the first transfer date comprises network proxy authentication information.

15. A non-transitory computer-readable medium including code for performing a method, the method comprising: providing, by a key generator of an information handling system and during a first in time instance of a first pre-boot phase for the information handling system a first public/private key pair including a first public key and a first private key; storing, during the first in time instance of the first pre-boot phase, the first private key to an encrypted storage of a trusted platform module (TPM) of the information handling system; sealing the first private key to a first platform configuration register (PCR) of the TPM in the first pre-boot phase, wherein the TPM is operable to provide boot authentication for the information handling system, such that, during the first pre-boot phase, the TPM is operable to provide access to the first PCR; storing, during the first in time instance of the first pre-boot phase, the first public key to a storage device of the information handling system; retrieving, during an operating system (OS) phase that is after the first in time instance of the first pre-boot phase, the first public key from the storage device; encrypting, during the OS phase, first transfer data using the first public key, wherein the first transfer data is to be securely transported between the OS phase and the first pre-boot phase, the first transfer data including a System Management BIOS (SMBIOS) for the information handling system; and storing, during the OS phase, the encrypted first transfer data to the storage device.

16. The computer-readable medium of claim 15 , the method further comprising: retrieving, during a second in time instance of the first pre-boot phase that is after the OS phase, the first private key sealed to the first PCR from the encrypted storage; retrieving, during the second in time instance of the first pre-boot phase, the encrypted first transfer data from the storage device; and decrypting, during the second in time instance of the first pre-boot phase, the encrypted first transfer data using the first private key.

17. The computer-readable medium of claim 16 , the method further comprising: encrypting, during the OS phase, second transfer data using the first public key, wherein the second transfer data is to be securely transported between the OS phase and the first pre-boot phase; and storing, during the OS phase, the encrypted second transfer data to the storage device.

18. The computer-readable medium of claim 17 , the method further comprising: retrieving, during the second in time instance of the first pre-boot phase, the encrypted second transfer data from the storage device; and decrypting, during the second in time instance of the first pre-boot phase, the encrypted second transfer data using the first private key.

19. The computer-readable medium of claim 15 , the method further comprising: providing, by the information handling system and during a first in time instance of a second pre-boot phase for the information handling system that is before the OS phase, a second public/private key pair including a second public key and a second private key; storing, during the first in time instance of the second pre-boot phase, the second private key to the encrypted storage; sealing the second private key to a second PCR of the TPM in the second pre-boot phase, wherein the TPM is further operable to provide the boot authentication, such that, during the second pre-boot phase, the TPM is operable to provide access to the second PCR; storing, during the first in time instance of the second pre-boot phase, the second public key to the storage device; and retrieving, during the OS phase, the second public key from the storage device; encrypting, during the OS phase, second transfer data using the second public key, wherein the second transfer data is to be securely transported between the OS phase and the first pre-boot phase; and storing, during the OS phase, the encrypted second transfer data to the storage device.

20. The computer-readable medium of claim 15 , wherein the first transfer date comprises network proxy authentication information.

Patent Metadata

Filing Date

Unknown

Publication Date

July 3, 2018

Inventors

Ricardo L. Martinez

Anand P. Joshi

Want to explore more patents?

Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.

Browse All Patents Try Prior Art Search